[SCM] Samba Shared Repository - branch v4-14-test updated

Jule Anger janger at samba.org
Tue Mar 29 10:33:02 UTC 2022


The branch, v4-14-test has been updated
       via  56018a50e76 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
       via  50df8eb5921 WHATSNEW: Mention our matrix room as well
       via  abd61ad8995 WHATSNEW: IRC is irc.libera.chat according to https://www.samba.org/samba/irc.html
      from  1a1b789b2fe s4:kdc: redirect pre-authentication failured to an RWDC

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -----------------------------------------------------------------
commit 56018a50e76521f287ac93671f18f1d741075507
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 16 14:11:10 2022 +0100

    s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
    
    Even if the msDS-KeyVersionNumber of the main krbtgt
    account is larger than 65535, we need to have
    the 16 upper bits all zero in order to avoid
    mixing the keys with an RODC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (similar to commit ab0946a75d51b8f4826d98c61c3ad503615009fe)
    
    Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-14-test): Tue Mar 29 10:32:05 UTC 2022 on sn-devel-184

commit 50df8eb592161e1a012ce483564c45e64e2203cd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 17 18:47:48 2022 +1300

    WHATSNEW: Mention our matrix room as well
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit abd61ad8995c6c6b65320ad906764a44e0d5d846
Author: Thomas Debesse <dev at illwieckz.net>
Date:   Tue Feb 15 14:11:45 2022 +0100

    WHATSNEW: IRC is irc.libera.chat according to https://www.samba.org/samba/irc.html
    
    Signed-off-by: Thomas Debesse <dev at illwieckz.net>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt          |  3 ++-
 source4/kdc/db-glue.c | 51 +++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 45 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2f8e8c31500..eb0c73f9ae3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -416,7 +416,8 @@ Reporting bugs & Development Discussion
 #######################################
 
 Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
 
 If you do report problems then please try to send high quality
 feedback. If you don't provide vital information to help us track down
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..3a7e2176653 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -44,6 +44,9 @@
 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
 	((uint16_t)(((uint32_t)kvno) >> 16))
 
+#define SAMBA_KVNO_GET_VALUE(kvno) \
+	((uint16_t)(((uint32_t)kvno) & 0xFFFF))
+
 #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
 	((krb5_kvno)((((uint32_t)kvno) & 0xFFFF) | \
 	 ((((uint32_t)krbtgt) << 16) & 0xFFFF0000)))
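Review bot: SAMBA_KVNO_GET_VALUE casts its argument without parenthesising it, so `(uint32_t)kvno` would bind only to the first operand if a caller ever passed an expression such as `a + b`; the body should read `((uint16_t)(((uint32_t)(kvno)) & 0xFFFF))`. The existing macros above and below share the same pattern, so this matches local style, but the new macro is a chance not to repeat it. Both call sites in this commit pass a plain variable, so there is no functional difference today.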
@@ -323,6 +326,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 						    enum samba_kdc_ent_type ent_type,
 						    struct sdb_entry_ex *entry_ex)
 {
+	struct sdb_entry *entry = &entry_ex->entry;
 	krb5_error_code ret = 0;
 	enum ndr_err_code ndr_err;
 	struct samr_Password *hash;
@@ -333,10 +337,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	struct package_PrimaryKerberosBlob _pkb;
 	struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
 	struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
+	bool is_krbtgt = false;
+	int krbtgt_number = 0;
+	uint32_t current_kvno;
+	uint32_t returned_kvno = 0;
 	uint16_t i;
 	uint16_t allocated_keys = 0;
-	int rodc_krbtgt_number = 0;
-	int kvno = 0;
 	uint32_t supported_enctypes
 		= ldb_msg_find_attr_as_uint(msg,
 					    "msDS-SupportedEncryptionTypes",
@@ -345,6 +351,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
 		/* KDCs (and KDCs on RODCs) use AES */
 		supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
+		is_krbtgt = true;
 	} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
 		/* DCs and RODCs comptuer accounts use AES */
 		supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
@@ -369,9 +376,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	/* Is this the krbtgt or a RODC krbtgt */
 	if (is_rodc) {
-		rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
+		krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
 
-		if (rodc_krbtgt_number == -1) {
+		if (krbtgt_number == -1) {
+			return EINVAL;
+		}
+		if (krbtgt_number == 0) {
 			return EINVAL;
 		}
 	}
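Review bot: The two new checks reject -1 and 0 but accept any other int, yet krbtgt_number is later packed into the upper 16 bits by SAMBA_KVNO_AND_KRBTGT, whose `& 0xFFFF0000` mask silently truncates values above 65535 (and a negative value wraps through the uint32_t cast). Given the commit's aim of a strict 16-bit split, bounding it at the source keeps that invariant: `if (krbtgt_number <= 0 || krbtgt_number > UINT16_MAX) { return EINVAL; }`, which also folds the two branches with identical returns into one. Whether msDS-SecondaryKrbTgtNumber can legitimately exceed 16 bits I cannot tell from this hunk; if it cannot, the range check costs nothing. The enclosing function continues past this hunk.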
@@ -454,11 +464,20 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		goto out;
 	}
 
-	kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
-	if (is_rodc) {
-		kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number);
+	current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+	if (is_krbtgt) {
+		/*
+		 * Even for the main krbtgt account
+		 * we have to strictly split the kvno into
+		 * two 16-bit parts and the upper 16-bit
+		 * need to be all zero, even if
+		 * the msDS-KeyVersionNumber has a value
+		 * larger than 65535.
+		 *
+		 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
+		 */
+		current_kvno = SAMBA_KVNO_GET_VALUE(current_kvno);
 	}
-	entry_ex->entry.kvno = kvno;
 
 	/* Get keys from the db */
 
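Review bot: The ten-line comment on the new `if (is_krbtgt)` branch is repeated word for word in the later hunk that assigns returned_kvno; keeping the explanation once here and reducing the second copy to `/* see the comment on current_kvno above */` avoids the two drifting apart. A smaller consistency point: current_kvno is now uint32_t but is still filled from ldb_msg_find_attr_as_int, while supported_enctypes in the same function is read with ldb_msg_find_attr_as_uint; the signed-to-unsigned store is well defined, but `ldb_msg_find_attr_as_uint(msg, "msDS-KeyVersionNumber", 0)` would match the neighbouring read, assuming the attribute is never negative in practice. The function continues beyond this hunk.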
@@ -709,6 +728,22 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		}
 	}
 
+	returned_kvno = current_kvno;
+	if (is_krbtgt) {
+		/*
+		 * Even for the main krbtgt account
+		 * we have to strictly split the kvno into
+		 * two 16-bit parts and the upper 16-bit
+		 * need to be all zero, even if
+		 * the msDS-KeyVersionNumber has a value
+		 * larger than 65535.
+		 *
+		 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
+		 */
+		returned_kvno = SAMBA_KVNO_AND_KRBTGT(returned_kvno, krbtgt_number);
+	}
+	entry->kvno = returned_kvno;
+
 out:
 	if (ret != 0) {
 		entry_ex->entry.keys.len = 0;
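Review bot: entry->kvno is now assigned only after the key loop, whereas the removed line set `entry_ex->entry.kvno = kvno` before the loop began, so a `goto out` taken from inside the loop now leaves entry->kvno at whatever value the caller passed in, and the error path visible at the end of this hunk clears only keys.len. If callers discard the entry whenever this function returns non-zero that is harmless, but it is a behaviour change worth confirming against them. Separately, the out: block still spells the entry as `entry_ex->entry` while the new line above uses the `entry` alias this commit introduces; `entry->keys.len = 0;` keeps the function on one spelling. The rest of the cleanup lies outside the hunk.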

